Update mcollective.init according to OSCI-855

[packages/precise/mcollective.git] / spec / unit / ssl_spec.rb

#!/usr/bin/env rspec

require 'spec_helper'

module MCollective
  describe SSL do
    before do
      @rootdir = File.dirname(__FILE__)
      @ssl = SSL.new("#{@rootdir}/../fixtures/test-public.pem", "#{@rootdir}/../fixtures/test-private.pem")
    end

    it "should be able to decode base64 text it encoded" do
      @ssl.base64_decode(@ssl.base64_encode("foo")).should == "foo"
    end

    it "should decrypt what it encrypted with RSA" do
      crypted = @ssl.aes_encrypt("foo")
      decrypted = @ssl.aes_decrypt(crypted[:key], crypted[:data])

      decrypted.should == "foo"
    end

    it "should be able to decrypt using RSA private key what it encrypted with RSA public key" do
      crypted = @ssl.rsa_encrypt_with_public("foo")
      decrypted = @ssl.rsa_decrypt_with_private(crypted)

      decrypted.should == "foo"
    end

    it "should be able to decrypt using RSA public key what it encrypted with RSA private key" do
      crypted = @ssl.rsa_encrypt_with_private("foo")
      decrypted = @ssl.rsa_decrypt_with_public(crypted)

      decrypted.should == "foo"
    end

    it "using a helper it should be able to decrypt with private key what it encrypted using the public key" do
      @ssl.decrypt_with_private(@ssl.encrypt_with_public("foo")).should == "foo"
      @ssl.decrypt_with_private(@ssl.encrypt_with_public("foo", false), false).should == "foo"
    end

    it "using a helper it should be able to decrypt with public key what it encrypted using the private key" do
      @ssl.decrypt_with_public(@ssl.encrypt_with_private("foo")).should == "foo"
      @ssl.decrypt_with_public(@ssl.encrypt_with_private("foo", false), false).should == "foo"
    end

    describe "#initialize" do
      it "should default to aes-256-cbc" do
        @ssl.ssl_cipher.should == "aes-256-cbc"
      end

      it "should take the configured value when present" do
        Config.instance.stubs("ssl_cipher").returns("aes-128-cbc")
        @ssl = SSL.new("#{@rootdir}/../fixtures/test-public.pem", "#{@rootdir}/../fixtures/test-private.pem")

        @ssl.ssl_cipher.should == "aes-128-cbc"
      end

      it "should set the supplied ssl cipher" do
        @ssl = SSL.new("#{@rootdir}/../fixtures/test-public.pem", "#{@rootdir}/../fixtures/test-private.pem", nil, "aes-128-cbc")
        @ssl.ssl_cipher.should == "aes-128-cbc"
      end

      it "should prefer the supplied cipher over configured cipher" do
        Config.instance.stubs("aes_key_size").returns("foo-foo-foo")
        @ssl = SSL.new("#{@rootdir}/../fixtures/test-public.pem", "#{@rootdir}/../fixtures/test-private.pem", nil, "aes-128-cbc")

        @ssl.ssl_cipher.should == "aes-128-cbc"
      end

      it "should fail on invalid ciphers" do
        expect {
          @ssl = SSL.new("#{@rootdir}/../fixtures/test-public.pem", "#{@rootdir}/../fixtures/test-private.pem", nil, "foo-foo-foo")
        }.to raise_error("The supplied cipher 'foo-foo-foo' is not supported")
      end
    end

    describe "#read_key" do
      it "should fail on non exiting files" do
        expect {
          @ssl.read_key(:public, "/nonexisting")
        }.to raise_error("Could not find key /nonexisting")
      end

      it "should fail on existing, empty files" do
        File.expects(:exist?).with('key').returns(true)
        File.expects(:zero?).with('key').returns(true)
        expect{
          @ssl.read_key(:public, 'key')
        }.to raise_error("public key file 'key' is empty")
      end

      it "should fail on unknown key types" do
        expect {
          @ssl.read_key(:unknown, @ssl.public_key_file)
        }.to raise_error("Can only load :public or :private keys")
      end

      it "should read a public key" do
        @ssl.read_key(:public, "#{@rootdir}/../fixtures/test-public.pem")
      end

      it "should read the public key from a certificate" do
        @ssl.read_key(:public, "#{@rootdir}/../fixtures/test-cert.pem").to_s.should match(/.+BEGIN.+PUBLIC KEY.+END.+PUBLIC KEY.+/m)
      end

      it "should return nil if no key was given" do
        @ssl.read_key(:public).should == nil
      end

      it "should return nil if nil key was given" do
        @ssl.read_key(:public, nil).should == nil
      end

      it "should clear the OpenSSL error queue on ruby 1.8" do
        Util.expects(:ruby_version).returns("1.8.7")
        OpenSSL.expects(:errors)
        @ssl.read_key(:public, "#{@rootdir}/../fixtures/test-public.pem")
        @ssl.read_key(:private, "#{@rootdir}/../fixtures/test-private.pem")
      end

      it "should not clear the OpenSSL error queue on ruby > 1.8" do
        Util.expects(:ruby_version).returns("1.9.3")
        OpenSSL.expects(:errors).never
        @ssl.read_key(:public, "#{@rootdir}/../fixtures/test-public.pem")
        @ssl.read_key(:private, "#{@rootdir}/../fixtures/test-private.pem")
      end
    end

    describe "#base64_encode" do
      it "should correctly encode" do
        @ssl.base64_encode("foo").should == "Zm9v\n"
        SSL.base64_encode("foo").should == "Zm9v\n"
      end
    end

    describe "#base64_decode" do
      it "should correctly decode" do
        @ssl.base64_decode("Zm9v").should == "foo"
        SSL.base64_decode("Zm9v").should == "foo"
      end
    end

    describe "#aes_encrypt" do
      it "should create a key and data" do
        crypted = @ssl.aes_encrypt("foo")

        crypted.include?(:key).should == true
        crypted.include?(:data).should == true
      end
    end

    describe "#aes_decrypt" do
      it "should decrypt correctly given key and data" do
        key = @ssl.base64_decode("rAaCyW6qB0XqZNa9hji0qHwrI3P47t8diLNXoemW9ss=")
        data = @ssl.base64_decode("mSthvO/wSl0ArNOcgysTVw==")

        @ssl.aes_decrypt(key, data).should == "foo"
      end

      it "should decrypt correctly given key, data and cipher" do
        key = @ssl.base64_decode("VEma3a/R7fjw2M4d0NIctA==")
        data = @ssl.base64_decode("FkH6qLvKTn7a+uNPe8ciHA==")

        # the default aes-256-cbc should fail here, the key above is 128 bit
        # the exception classes changed mid-1.9.2 :(
        if OpenSSL.constants.include?("CipherError")
          expect { @ssl.aes_decrypt(key, data) }.to raise_error(OpenSSL::CipherError)
        else
          expect { @ssl.aes_decrypt(key, data) }.to raise_error(OpenSSL::Cipher::CipherError)
        end

        # new ssl instance configured for aes-128-cbc, should work
        @ssl = SSL.new("#{@rootdir}/../fixtures/test-public.pem", "#{@rootdir}/../fixtures/test-private.pem", nil, "aes-128-cbc")
        @ssl.aes_decrypt(key, data).should == "foo"
      end
    end

    describe "#md5" do
      it "should produce correct md5 sums" do
        # echo -n 'hello world'|md5sum
        @ssl.md5("hello world").should == "5eb63bbbe01eeed093cb22bb8f5acdc3"
      end
    end
    describe "#sign" do
      it "should sign the message without base64 by default" do
        SSL.md5(@ssl.sign("hello world")).should == "8269b23f55945aaa82efbff857c845a6"
      end

      it "should support base64 encoding messages" do
        SSL.md5(@ssl.sign("hello world", true)).should == "8a4eb3c3d44d22c46dc36a7e441d8db0"
      end
    end

    describe "#verify_signature" do
      it "should correctly verify a message signed using the same keypair" do
        @ssl.verify_signature(@ssl.sign("hello world"), "hello world").should == true
        @ssl.verify_signature(@ssl.sign("hello world", true), "hello world", true).should == true
      end

      it "should fail to verify messages not signed by the key" do
        @ssl.verify_signature("evil fake signature", "hello world").should == false
      end
    end

    describe "#decrypt_with_public" do
      it "should decrypt correctly given key and data in base64 format" do
        crypted = {:key=> "YaRcSDdcKgnRZ4Eu2eirl/+lzDgVkPZ41kXAQQNOi+6AfjdbbOW7Zblibx9r\n3TzZAi0ulA94gqNAXPvPC8LaO8W9TtJwlto/RHwDM7ZdfqEImSYoVACFNq28\n+0MLr3K3hIBsB1pyxgFTQul+MrCq+3Fik7Nj7ZKkJUT2veyqbg8=",
          :data=>"TLVw1EYeOaGDmEC/R2I/cA=="}

        @ssl.decrypt_with_public(crypted).should == "foo"
      end
    end

    describe "#decrypt_with_private" do
      it "should decrypt correctly given key and data in base64 format" do
        crypted = {:key=> "kO1kUgJBiEBdoajN4OHp9BOie6dCznf1YKbBnp3LOyBxcDDQtjxEBlPmjQve\npXrQJ5xpLX6oNBxzU18Pf2SKYUZSbzIkDUb97GQY0WoBQsdM2OwPXH+HtF2A\no5N8iIx9srPAEAFa6hZAdqvcmRT/SzhP1kH+Gyy8fyvW8HGBjNY=",
          :data=>"gDTaHCmes/Yua4jtjmgukQ=="}

        @ssl.decrypt_with_private(crypted).should == "foo"
      end
    end

    describe "#decrypt_with_private" do
      it "should fail if not given a key" do
        expect {
          @ssl.decrypt_with_private({:iv => "x", :data => "x"})
        }.to raise_error("Crypted data should include a key")
      end

      it "should fail if not given data" do
        expect {
          @ssl.decrypt_with_private({:iv => "x", :key => "x"})
        }.to raise_error("Crypted data should include data")
      end
    end

    describe "#decrypt_with_public" do
      it "should fail if not given a key" do
        expect {
          @ssl.decrypt_with_public({:iv => "x", :data => "x"})
        }.to raise_error("Crypted data should include a key")
      end

      it "should fail if not given data" do
        expect {
          @ssl.decrypt_with_public({:iv => "x", :key => "x"})
        }.to raise_error("Crypted data should include data")
      end
    end

    describe "#uuid" do
      it "should produce repeatable uuids" do
        SSL.uuid("hello world").should == SSL.uuid("hello world")
      end

      it "should not always produce the same uuid" do
        SSL.uuid.should_not == SSL.uuid
      end
    end
  end
end